

How do I change the OU in LDAP?

How do I change the OU in LDAP for Bright?

 

This is a two-step process:

1. Make LDAP use an HDB database instead of a BDB database.

2. Change the OU value.

 

 

1. Migrate LDAP from a BDB database to an HDB database

This is required because step 2 renames a non-leaf entry (ou=Group,dc=cm,dc=cluster, which has child entries). The BDB backend can only rename leaf entries; HDB supports subtree renames. Before starting, back up /cm/local/apps/openldap/etc/slapd.conf and leave the existing database directory in place so the change can be rolled back. (On OpenLDAP releases that no longer ship the bdb/hdb backends, use the mdb backend instead; it also supports subtree renames.)

 

a. stop the LDAP service (slapadd must not be run while slapd has the database open)

# service ldap stop

 

b. export the current BDB database to LDIF so that it can be re-imported into the HDB database. The export contains every entry, including the userPassword hashes of all users, so create it with a restrictive umask (`umask 077`), keep it in a root-only directory, and delete it once the migration has been verified.

# module load openldap

# slapcat -f /cm/local/apps/openldap/etc/slapd.conf -l mydb.ldif

 

c. edit slapd.conf so that the database type is hdb and the database directory points to a new, empty directory:

# cat /cm/local/apps/openldap/etc/slapd.conf

[...]

database        hdb

[...]

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory       /var/lib/ldap2

[...]

 

d. create the database directory with mode 700, as the comment in slapd.conf requires

# mkdir -p -m 700 /var/lib/ldap2

 

e. import the LDIF export into the new HDB database. The DB_CONFIG warning shown below does not affect the import itself, but copy the DB_CONFIG file from the old database directory into /var/lib/ldap2 (if one exists there) before starting slapd; without it the backend runs with default cache settings and performs poorly:

# slapadd -f /cm/local/apps/openldap/etc/slapd.conf -l mydb.ldif

53063275 hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap2: (2).

Expect poor performance for suffix "dc=cm,dc=cluster".

-#################### 100.00% eta   none elapsed             02s spd   1.5 k/s

Closing DB...

 

f. fix the ownership and permissions of the new database directory (slapadd was run as root, so the files it created are root-owned; they must be owned by the ldap user and not readable by anyone else):

# chown -R ldap:ldap /var/lib/ldap2/

# chmod 700 /var/lib/ldap2

 

g. restart the LDAP service and verify that the directory is served from the new database (for example, an ldapsearch under dc=cm,dc=cluster should return the expected entries) before continuing

# service ldap restart

Stopping slapd:                                            [  OK  ]

[...]

Starting slapd:                                            [  OK  ]

 

2. Create the Organizational Unit (OU) and modify the LDAP entries accordingly

This must be done to allow user management through cmsh/cmgui. All of the ldapmodify commands below bind as the LDAP rootdn; use -W to be prompted for the password (or -y <file> to read it from a root-only file) rather than -w <password>, which exposes the password in the process list and in the shell history.

 

a. add the OU

# cat ou.ldif

dn: ou=DisabledUsers,dc=cm,dc=cluster

changetype: add

ou: DisabledUsers

objectClass: top

objectClass: organizationalUnit

 

# ldapmodify -x -H ldap://localhost -D 'cn=root,dc=cm,dc=cluster' -W -c -f /root/ou.ldif

 

b. move the root bind DN entry under the OU. The remaining commands still bind as cn=root,dc=cm,dc=cluster, which stays the rootdn configured in slapd.conf until step g; a rootdn bind is authenticated against the rootpw in slapd.conf, so it keeps working after the entry has moved (if no rootpw is set in slapd.conf, perform this step last instead):

# cat root.ldif

dn: cn=root,dc=cm,dc=cluster

changetype: moddn

newrdn: cn=root

deleteoldrdn: 1

newsuperior: ou=DisabledUsers,dc=cm,dc=cluster

 

# ldapmodify -x -H ldap://localhost -D 'cn=root,dc=cm,dc=cluster' -W -c -f /root/root.ldif

 

c. move the read-only root entry under the OU:

# cat roroot.ldif

dn: cn=readonlyroot,dc=cm,dc=cluster

changetype: moddn

newrdn: cn=readonlyroot

deleteoldrdn: 1

newsuperior: ou=DisabledUsers,dc=cm,dc=cluster

 

# ldapmodify -x -H ldap://localhost -D 'cn=root,dc=cm,dc=cluster' -W -c -f /root/roroot.ldif

 

d. move the read-only group under the OU:

# cat rogroup.ldif

dn: cn=rogroup,dc=cm,dc=cluster

changetype: moddn

newrdn: cn=rogroup

deleteoldrdn: 1

newsuperior: ou=DisabledUsers,dc=cm,dc=cluster

 

# ldapmodify -x -H ldap://localhost -D 'cn=root,dc=cm,dc=cluster' -W -c -f /root/rogroup.ldif

 

e. move the non-leaf entry (ou=Group,dc=cm,dc=cluster) together with its whole subtree under the OU. This is the rename that required the HDB backend. Every group DN changes as a result, so any client that was configured with the old base DN has to be updated as well (step h covers CMDaemon):

# cat group.ldif

dn: ou=Group,dc=cm,dc=cluster

changetype: moddn

newrdn: ou=Group

deleteoldrdn: 0

newsuperior: ou=DisabledUsers,dc=cm,dc=cluster

 

# ldapmodify -x -H ldap://localhost -D 'cn=root,dc=cm,dc=cluster' -W -c -f /root/group.ldif

 

f. move the user entries under the OU (repeat for every user entry at the old location; each user's DN changes)

# cat cmsupport.ldif

dn: uid=cmsupport,dc=cm,dc=cluster

changetype: moddn

newrdn: uid=cmsupport

deleteoldrdn: 1

newsuperior: ou=DisabledUsers,dc=cm,dc=cluster

 

# ldapmodify -x -H ldap://localhost -D 'cn=root,dc=cm,dc=cluster' -W -c -f /root/cmsupport.ldif

 

g. modify the LDAP configuration to use the OU. Update rootdn as shown, and if the access directives in slapd.conf reference any of the moved DNs (cn=readonlyroot, cn=rogroup, ou=Group or the user entries), update those too, then restart slapd:

# cat /cm/local/apps/openldap/etc/slapd.conf

[...]

rootdn          "cn=root,ou=DisabledUsers,dc=cm,dc=cluster"

[...]

 

# service ldap restart

 

h. modify the CMDaemon configuration so that it searches under the OU

# cat /cm/local/apps/cmd/etc/cmd.conf

[...]

LDAPSearchDN = "ou=DisabledUsers,dc=cm,dc=cluster"

[...]

 

i. restart CMDaemon and verify in cmsh/cmgui that users and groups are listed correctly; only then delete the LDIF export (mydb.ldif), which contains the password hashes of all users

# service cmd restart





